All users are strongly encouraged to upgrade to the latest versions of PHP 7.3.11 and PHP 7.2.24.

Vulnerability in PHP7 exposes sites to remote hacking risk

while this is all great... would recommend to "kiss more" (keep it simple (and beautiful))

while this is all great… would recommend to „kiss more“ (keep it as simple as possible (and beautiful)) unless one wants everybody to lose control) complexity increases the likelyhood of errors (that WILL be found by humans or AI) having no quality management for software development/use-case-test system(s) is death.

The problem only applies to NGINX servers with PHP-FPM enabled.
image

A dangerous vulnerability (CVE-2019-11043) has been identified in the PHP 7 branch, which allows attackers to execute commands on the server using a specially generated URL.

According to experts, the bug is already actively used in attacks. The process of its operation is quite simple, besides the problem is compounded by the fact that earlier this week on the portal GitHub was posted PoC-code to identify vulnerable servers. As explained by experts, finding a vulnerable server, “ an attacker can send specially formed requests, adding ‚?a=‘ in the URL“.

It is noted that the problem applies exclusively to NGINX servers with PHP-FPM (a software package for processing scripts in PHP) enabled. Vulnerable configurations are nginx, where the probros in PHP-FPM is carried out with the separation of parts of the URL using „fastcgi_split_path_info“ and the definition of the environment variable PATH_INFO, but without first checking the existence of the file Directive „try_files $fastcgi_script_name“ or the construction “ if (!-f $document_root$fastcgi_script_name)“. Example of vulnerable configuration:

„With a specially crafted URL, an attacker can achieve a path_info pointer offset by the first byte of the _fcgi_data_seg structure. Writing a zero to this byte will move the pointer ‚char* pos` to a previously running memory area, called by the FCGI_PUTENV trace overwrites some data (including other cgi AST variables),“ the vulnerability description States. With this technique, an attacker can create a dummy variable PHP_VALUE fcgi and achieve code execution.

The developers released a patch for this vulnerability last Friday, October 25.

src and thanks: https://www.securitylab.ru/news/502087.php

regular update cycles:

Powerdown, snapshot, update, test… every week…

CentOS7 how to update to php 7.3:

snapshot/backup… in the way one should do.

hostnamectl; # tested on
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 5.X.X
Architecture: x86-64

php -v; # check currently used php version
yum update; # update all packages
yum upgrade;
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install yum-utils
yum-config-manager --enable remi-php73 
yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo 
php -v
/scripts/reboot.sh 

thanks to: https://www.tecmint.com/install-php-7-in-centos-7/

admin